* [PATCH] tracing: Fix out-of-range read in trace_stack_print()
@ 2019-06-10 4:00 Eiichi Tsukata
2019-06-14 20:31 ` Steven Rostedt
0 siblings, 1 reply; 3+ messages in thread
From: Eiichi Tsukata @ 2019-06-10 4:00 UTC (permalink / raw)
To: rostedt, mingo, linux-kernel; +Cc: Eiichi Tsukata
Puts range check before dereferencing the pointer.
Reproducer:
# echo stacktrace > trace_options
# echo 1 > events/enable
# cat trace > /dev/null
KASAN report:
==================================================================
BUG: KASAN: use-after-free in trace_stack_print+0x26b/0x2c0
Read of size 8 at addr ffff888069d20000 by task cat/1953
CPU: 0 PID: 1953 Comm: cat Not tainted 5.2.0-rc3+ #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
Call Trace:
dump_stack+0x8a/0xce
print_address_description+0x60/0x224
? trace_stack_print+0x26b/0x2c0
? trace_stack_print+0x26b/0x2c0
__kasan_report.cold+0x1a/0x3e
? trace_stack_print+0x26b/0x2c0
kasan_report+0xe/0x20
trace_stack_print+0x26b/0x2c0
print_trace_line+0x6ea/0x14d0
? tracing_buffers_read+0x700/0x700
? trace_find_next_entry_inc+0x158/0x1d0
s_show+0xea/0x310
seq_read+0xaa7/0x10e0
? seq_escape+0x230/0x230
__vfs_read+0x7c/0x100
vfs_read+0x16c/0x3a0
ksys_read+0x121/0x240
? kernel_write+0x110/0x110
? perf_trace_sys_enter+0x8a0/0x8a0
? syscall_slow_exit_work+0xa9/0x410
do_syscall_64+0xb7/0x390
? prepare_exit_to_usermode+0x165/0x200
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f867681f910
Code: b6 fe ff ff 48 8d 3d 0f be 08 00 48 83 ec 08 e8 06 db 01 00 66 0f 1f 44 00 00 83 3d f9 2d 2c 00 00 75 10 b8 00 00 00 00 04
RSP: 002b:00007ffdabf23488 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f867681f910
RDX: 0000000000020000 RSI: 00007f8676cde000 RDI: 0000000000000003
RBP: 00007f8676cde000 R08: ffffffffffffffff R09: 0000000000000000
R10: 0000000000000871 R11: 0000000000000246 R12: 00007f8676cde000
R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000000ec0
Allocated by task 1214:
save_stack+0x1b/0x80
__kasan_kmalloc.constprop.0+0xc2/0xd0
kmem_cache_alloc+0xaf/0x1a0
getname_flags+0xd2/0x5b0
do_sys_open+0x277/0x5a0
do_syscall_64+0xb7/0x390
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 1214:
save_stack+0x1b/0x80
__kasan_slab_free+0x12c/0x170
kmem_cache_free+0x8a/0x1c0
putname+0xe1/0x120
do_sys_open+0x2c5/0x5a0
do_syscall_64+0xb7/0x390
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff888069d20000
which belongs to the cache names_cache of size 4096
The buggy address is located 0 bytes inside of
4096-byte region [ffff888069d20000, ffff888069d21000)
The buggy address belongs to the page:
page:ffffea0001a74800 refcount:1 mapcount:0 mapping:ffff88806ccd1380 index:0x0 compound_mapcount: 0
flags: 0x100000000010200(slab|head)
raw: 0100000000010200 dead000000000100 dead000000000200 ffff88806ccd1380
raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888069d1ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888069d1ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888069d20000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888069d20080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888069d20100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Fixes: 4a9bd3f134dec ("tracing: Have dynamic size event stack traces")
Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
---
kernel/trace/trace_output.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
index 54373d93e251..ba751f993c3b 100644
--- a/kernel/trace/trace_output.c
+++ b/kernel/trace/trace_output.c
@@ -1057,7 +1057,7 @@ static enum print_line_t trace_stack_print(struct trace_iterator *iter,
trace_seq_puts(s, "<stack trace>\n");
- for (p = field->caller; p && *p != ULONG_MAX && p < end; p++) {
+ for (p = field->caller; p && p < end && *p != ULONG_MAX; p++) {
if (trace_seq_has_overflowed(s))
break;
--
2.21.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] tracing: Fix out-of-range read in trace_stack_print()
2019-06-10 4:00 [PATCH] tracing: Fix out-of-range read in trace_stack_print() Eiichi Tsukata
@ 2019-06-14 20:31 ` Steven Rostedt
2019-06-30 9:03 ` Eiichi Tsukata
0 siblings, 1 reply; 3+ messages in thread
From: Steven Rostedt @ 2019-06-14 20:31 UTC (permalink / raw)
To: Eiichi Tsukata; +Cc: mingo, linux-kernel, Thomas Gleixner
On Mon, 10 Jun 2019 13:00:16 +0900
Eiichi Tsukata <devel@etsukata.com> wrote:
> Puts range check before dereferencing the pointer.
>
> Reproducer:
>
> # echo stacktrace > trace_options
> # echo 1 > events/enable
> # cat trace > /dev/null
>
>
Thanks I applied this.
>
> Fixes: 4a9bd3f134dec ("tracing: Have dynamic size event stack traces")
Actually it fixes:
4285f2fcef80 ("tracing: Remove the ULONG_MAX stack trace hackery")
Because before that, a ULONG_MAX was inserted into the buffer.
-- Steve
> Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
> ---
> kernel/trace/trace_output.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
> index 54373d93e251..ba751f993c3b 100644
> --- a/kernel/trace/trace_output.c
> +++ b/kernel/trace/trace_output.c
> @@ -1057,7 +1057,7 @@ static enum print_line_t trace_stack_print(struct trace_iterator *iter,
>
> trace_seq_puts(s, "<stack trace>\n");
>
> - for (p = field->caller; p && *p != ULONG_MAX && p < end; p++) {
> + for (p = field->caller; p && p < end && *p != ULONG_MAX; p++) {
>
> if (trace_seq_has_overflowed(s))
> break;
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] tracing: Fix out-of-range read in trace_stack_print()
2019-06-14 20:31 ` Steven Rostedt
@ 2019-06-30 9:03 ` Eiichi Tsukata
0 siblings, 0 replies; 3+ messages in thread
From: Eiichi Tsukata @ 2019-06-30 9:03 UTC (permalink / raw)
To: Steven Rostedt; +Cc: mingo, linux-kernel, Thomas Gleixner
On 2019/06/15 5:31, Steven Rostedt wrote:
...
>
>>
>> Fixes: 4a9bd3f134dec ("tracing: Have dynamic size event stack traces")
>
> Actually it fixes:
>
> 4285f2fcef80 ("tracing: Remove the ULONG_MAX stack trace hackery")
>
> Because before that, a ULONG_MAX was inserted into the buffer.
>
> -- Steve
Thank you for the advice.
Now there is no ULONG_MAX marker, so I should have fixed it by just
removing `*p != ULONG_MAX` check, right?
Thanks
Eiichi
>
>> Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
>> ---
>> kernel/trace/trace_output.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
>> index 54373d93e251..ba751f993c3b 100644
>> --- a/kernel/trace/trace_output.c
>> +++ b/kernel/trace/trace_output.c
>> @@ -1057,7 +1057,7 @@ static enum print_line_t trace_stack_print(struct trace_iterator *iter,
>>
>> trace_seq_puts(s, "<stack trace>\n");
>>
>> - for (p = field->caller; p && *p != ULONG_MAX && p < end; p++) {
>> + for (p = field->caller; p && p < end && *p != ULONG_MAX; p++) {
>>
>> if (trace_seq_has_overflowed(s))
>> break;
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-06-30 9:04 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-10 4:00 [PATCH] tracing: Fix out-of-range read in trace_stack_print() Eiichi Tsukata
2019-06-14 20:31 ` Steven Rostedt
2019-06-30 9:03 ` Eiichi Tsukata
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).